cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
melipla
Explorer
Member since: ‎11-10-2010
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎11-10-2010
Activity Feed
View All

Re: Changing sourcetype of incoming TCP syslogs

by in Getting Data In
‎11-15-2010 09:25 PM
‎11-15-2010 09:25 PM
Well I only mentioned UDP because that is what syslog uses by default (udp/514). I think you have to use syslog-ng to see syslog over TCP (tcp/514). I'm still working on a resolution to this. Although I'm currently leaning towards this solution, where syslog messages are written to a file and then splunk parses the file: http://answers.splunk.com/questions/8912/syslog-ng-filter-by-ip ... View more

Re: How to get rid of a sourcetype?

by in Getting Data In
‎11-15-2010 09:11 PM
‎11-15-2010 09:11 PM
I don't believe this is possible. I haven't modified the transfroms.conf file, but what is in there doesn't have any host renaming. Could it be something that the indexer has learned? I'm definitely still seeing entries for this non-existent inputs.conf entry still. Maybe I just need to tell splunk to unlearn it? Thanks. ... View more

Re: Changing sourcetype of incoming TCP syslogs

by in Getting Data In
‎11-11-2010 01:50 AM
‎11-11-2010 01:50 AM
Did you find an answer to your problem? I have a similar issue, which is why I ask. As for your configuration, are you sure your syslog messages are arriving via TCP (as opposed to UDP)? ... View more

Re: How to get rid of a sourcetype?

by in Getting Data In
‎11-11-2010 12:20 AM
‎11-11-2010 12:20 AM
I can try that, but it doesn't explain why the # after CustomLogs is increasing & the order of "Last Seen" is changing as well, where CustomLogs will occasionally be on top of the list as the last seen entry. It's like Splunk remembers it and any host that was logging with this previously is still using this sourcetype even though it's gone.... ... View more

How to get rid of a sourcetype?

by in Getting Data In
‎11-10-2010 10:07 PM
1 Karma
‎11-10-2010 10:07 PM
1 Karma
Somehow I've managed to get three different sourcetypes for syslog appearing in my search results: "syslog" 2,049,493,302 "udp:514" 5,392,394,302 "CustomLogs" 1,100,303,223 Part of the problem is I tried setting up CustomLogs in the inputs.conf file: [udp://10.1.1.10:514] sourcetype = CustomLogs disabled = false host = customapp But then Splunk started assigning this sourcetype to hosts other than 10.1.1.10. So my bright idea was to change the inputs.conf entry to this: [udp://514] disabled = false sourcetype = syslog However after a restart I'm still seeing all three sourcetype counters increasing my indexer's splunk search page. I'm at a loss as to how this is possible since I've removed all reference to CustomLogs and yet it still continues to be matched. Please help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All